Blog: Security
All blog posts tagged with Security.

Security Best Practices

Follow these security best practices to ensure your authentication implementation is secure.

Token Storage

  • Never store access or refresh tokens in localStorage or sessionStorage: any script running on the origin (an XSS payload, a compromised third-party script) can read them
  • Keep session and refresh tokens in cookies flagged HttpOnly, Secure and SameSite, so they are unreadable from JavaScript and only sent over TLS
  • Keep access tokens short-lived and rotate refresh tokens on every use, revoking the whole token family if a previously used refresh token is presented again

PKCE Implementation

Always use PKCE (RFC 7636) for public clients such as SPAs and native apps. The authorization server binds the authorization code to the code_verifier, so a code captured in transit cannot be exchanged for tokens without it. The challenge is the base64url-encoded SHA-256 of the verifier, not the raw digest:

// generateRandomString, sha256 and base64UrlEncode are helpers assumed here;
// the verifier must be 43 to 128 unreserved characters (RFC 7636 section 4.1).
const codeVerifier = generateRandomString(64);
const codeChallenge = base64UrlEncode(await sha256(codeVerifier));
// Keep the verifier for the token request; it is not a token, so sessionStorage is acceptable.
sessionStorage.setItem('pkce_code_verifier', codeVerifier);

auth.loginWithRedirect({
  code_challenge: codeChallenge,
  code_challenge_method: 'S256'
});

API Security

  • Always use HTTPS, and send HSTS, so bearer tokens never cross the network in cleartext
  • Validate tokens on every request: signature with a pinned algorithm and key, expiry, issuer and audience; never skip the check because an upstream component "already did it"
  • Rate limit token and authentication endpoints per client and per account, not only globally

XSS Prevention

import DOMPurify from 'dompurify';
// Sanitize untrusted HTML right before inserting it with innerHTML;
// for plain text use textContent instead, which needs no sanitizer.
const sanitized = DOMPurify.sanitize(userInput);
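DOMPurify covers the case where you must accept HTML. For the far more common case of rendering untrusted text into markup you control, the defence is output encoding per context, shown here as an added example that is not from the original post: an HTML entity encoder, a URL-attribute check (entity encoding does nothing against a javascript: href), and a server-side template that applies both. The comment payload is constructed for the example.

```javascript
// Entity-encode the five characters that can break out of HTML text or a
// double-quoted attribute value.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Escaping does not help in a URL attribute: `<a href="javascript:...">` passes
// escapeHtml untouched and still executes. Allow only http(s) targets and
// same-origin relative paths; anything else collapses to "#".
function safeHref(url) {
  const s = String(url).trim();
  if (s.startsWith('/') && !s.startsWith('//')) return s;
  try {
    const { protocol } = new URL(s);   // URL lowercases the scheme, so "JAVASCRIPT:" is caught too
    return protocol === 'http:' || protocol === 'https:' ? s : '#';
  } catch {
    return '#';                        // relative-without-slash, protocol-relative, garbage
  }
}

// Server-side template for one comment: every interpolation goes through the
// encoder for its context, and attribute values are always quoted.
function renderComment({ author, profileUrl, body }) {
  return `<p class="comment"><a href="${escapeHtml(safeHref(profileUrl))}">${escapeHtml(author)}</a>: ${escapeHtml(body)}</p>`;
}
```

Template engines with auto-escaping do the escapeHtml part for you; the href check is the piece they typically leave to you.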

CSRF Protection

  • Set SameSite=Strict (or at least Lax) on session cookies; Lax still sends the cookie on top-level cross-site navigations, so it is not a complete defence on its own
  • Require a synchronizer or double-submit CSRF token on every state-changing request
  • Validate the Origin header (falling back to Referer) against an allowlist, and reject state-changing requests that carry neither

Regular security audits and penetration testing are recommended.

Rate Limiting Configuration

Protect your authentication endpoints with configurable rate limiting rules.

Basic Configuration

rateLimits:
  login:
    windowMs: 900000 # 15 minutes
    max: 5 # limit each IP to 5 requests per windowMs
  register:
    windowMs: 3600000 # 1 hour
    max: 3
  passwordReset:
    windowMs: 3600000
    max: 3
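What the login entry above does at runtime, as an added example that is not the product's own limiter: a fixed-window counter with an injectable clock, applied once per source address and once per target account. The per-account limit is the part a plain per-IP rule misses; credential stuffing spread across many addresses stays under a per-IP ceiling of 5. Key names and the 10,000-entry sweep threshold are this example's own choices.

```javascript
// Fixed-window counter keyed by caller. `now` is injectable so the behaviour can
// be tested (and reasoned about) without waiting for a 15-minute window to pass.
function createRateLimiter({ windowMs, max, now = () => Date.now() }) {
  const buckets = new Map();   // key -> { count, resetAt }

  // Drop expired buckets so the map cannot grow without bound under a flood of
  // distinct keys (for example attacker-rotated source addresses).
  function sweep(t) {
    for (const [key, b] of buckets) if (t >= b.resetAt) buckets.delete(key);
  }

  return {
    check(key) {
      const t = now();
      if (buckets.size > 10000) sweep(t);
      let b = buckets.get(key);
      if (!b || t >= b.resetAt) {
        b = { count: 0, resetAt: t + windowMs };
        buckets.set(key, b);
      }
      b.count += 1;
      const allowed = b.count <= max;
      return {
        allowed,
        remaining: Math.max(0, max - b.count),
        retryAfterSeconds: allowed ? 0 : Math.ceil((b.resetAt - t) / 1000),
      };
    },
  };
}

// The "login" rule from the configuration (5 per 15 minutes), applied twice:
// per source address to slow a single bot, and per account to stop credential
// stuffing that rotates addresses. Usernames are lowercased so "Alice" and
// "alice" share one bucket.
function createLoginGuard(now) {
  const perIp = createRateLimiter({ windowMs: 900000, max: 5, now });
  const perAccount = createRateLimiter({ windowMs: 900000, max: 5, now });
  return function loginAllowed(ip, username) {
    const a = perIp.check(`ip:${ip}`);
    const b = perAccount.check(`user:${username.toLowerCase()}`);
    if (a.allowed && b.allowed) return { allowed: true, retryAfterSeconds: 0 };
    return { allowed: false, retryAfterSeconds: Math.max(a.retryAfterSeconds, b.retryAfterSeconds) };
  };
}
```

A per-account limit this tight is also a denial-of-service lever against a known username; in practice pair it with a CAPTCHA or a step-up challenge after the limit rather than a hard lockout, and return the same response for "wrong password" and "rate limited" so the limiter does not confirm which accounts exist.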

Custom Rules

import { rateLimit } from 'express-rate-limit';

const customLimiter = rateLimit({
  windowMs: 60 * 1000,
  max: 10,
  standardHeaders: true,   // emit RateLimit-* and Retry-After headers
  keyGenerator: (req) => {
    // Key on an identity you have already validated where possible. A raw
    // x-api-key header is attacker-controlled: a client can change it to get
    // a fresh bucket, so validate the key before letting it select the bucket.
    return req.headers['x-api-key'] || req.ip;
  },
  handler: (req, res) => {
    res.status(429).json({
      error: 'Too many requests',
      retryAfter: 60   // seconds; matches windowMs above
    });
  }
});

Redis-Based Rate Limiting

import { rateLimit } from 'express-rate-limit';
import RedisStore from 'rate-limit-redis';

// rate-limit-redis v3+ takes a sendCommand callback instead of the client itself.
const redisStore = new RedisStore({
  sendCommand: (...args) => redisClient.sendCommand(args),
  prefix: 'rl:'
});

const limiter = rateLimit({
  store: redisStore,   // counters are shared by every instance behind the load balancer
  windowMs: 15 * 60 * 1000,
  max: 100
});

Bypass Rules

import { rateLimit } from 'express-rate-limit';

const bypassList = new Set(['trusted-ip-1', 'trusted-ip-2']);   // e.g. a health checker or internal gateway

const limiter = rateLimit({
  // skip() runs before the counter is touched. req.ip is only trustworthy when
  // Express's 'trust proxy' setting matches your real proxy chain; otherwise a
  // client can spoof X-Forwarded-For to land on the bypass list.
  skip: (req) => bypassList.has(req.ip)
});

For distributed rate limiting, see our scaling guide.

Password Policy Configuration

Configure password policies to enforce strong authentication security standards.

Basic Policy Configuration

{
  "passwordPolicy": {
    "minLength": 12,
    "requireUppercase": true,
    "requireLowercase": true,
    "requireNumbers": true,
    "requireSpecialChars": true,
    "maxLength": 128
  }
}

Advanced Rules

// Rule semantics as read here; the post does not define them, so confirm
// against your provider's documentation.
const advancedPolicy = {
  preventCommonPasswords: true,   // reject entries from a common/breached-password list
  preventUserInfo: true,          // reject passwords containing the username, email local part or name
  minUniqueChars: 5,              // at least 5 distinct characters
  preventRepeatingChars: 3,       // reject runs of 3 or more identical characters ("aaa")
  preventSequentialChars: 3       // reject runs of 3 or more sequential characters ("abc", "321")
};
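A validator that enforces the basic policy and the advanced rules together, as an added example that is not the product's own implementation. The rule semantics (a "run" of 3 means 3 or more; "sequential" means code points stepping by +1 or -1; "user info" means any 3+ character fragment of the username, email local part or name) are this example's reading of the options above, and the common-password list is a constructed five-entry stand-in for a real breached-password list.

```javascript
// Constructed stand-in; production uses a large breached-password list.
const COMMON_PASSWORDS = new Set(['password', '123456', 'qwerty', 'letmein', 'welcome1']);

// Runs of n or more identical characters: "aaa" for n = 3.
function hasRepeatingRun(pw, n) {
  return n > 0 && new RegExp(`(.)\\1{${n - 1},}`).test(pw);
}

// Runs of n characters whose code points step by +1 or -1: "abc", "321", "xyz".
function hasSequentialRun(pw, n) {
  if (n < 2) return false;
  for (let i = 0; i + n <= pw.length; i++) {
    let asc = true, desc = true;
    for (let j = 1; j < n; j++) {
      const d = pw.charCodeAt(i + j) - pw.charCodeAt(i + j - 1);
      if (d !== 1) asc = false;
      if (d !== -1) desc = false;
    }
    if (asc || desc) return true;
  }
  return false;
}

// Any fragment of the user's identity of 3+ characters, case-insensitively.
function containsUserInfo(pw, user) {
  const lower = pw.toLowerCase();
  const parts = [user.username, (user.email || '').split('@')[0], ...(user.name || '').split(/\s+/)];
  return parts.some((p) => p && p.length >= 3 && lower.includes(p.toLowerCase()));
}

// Returns the names of every violated rule; an empty array means the password passes.
function validatePassword(pw, policy, user = {}) {
  const v = [];
  if (pw.length < policy.minLength) v.push('minLength');
  if (pw.length > policy.maxLength) v.push('maxLength');
  if (policy.requireUppercase && !/[A-Z]/.test(pw)) v.push('uppercase');
  if (policy.requireLowercase && !/[a-z]/.test(pw)) v.push('lowercase');
  if (policy.requireNumbers && !/[0-9]/.test(pw)) v.push('number');
  if (policy.requireSpecialChars && !/[^A-Za-z0-9]/.test(pw)) v.push('special');
  if (policy.preventCommonPasswords && COMMON_PASSWORDS.has(pw.toLowerCase())) v.push('common');
  if (policy.preventUserInfo && containsUserInfo(pw, user)) v.push('userInfo');
  if (policy.minUniqueChars && new Set(pw).size < policy.minUniqueChars) v.push('uniqueChars');
  if (policy.preventRepeatingChars && hasRepeatingRun(pw, policy.preventRepeatingChars)) v.push('repeating');
  if (policy.preventSequentialChars && hasSequentialRun(pw, policy.preventSequentialChars)) v.push('sequential');
  return v;
}

// The basic JSON policy and the advanced rules from this post, merged.
const POLICY = {
  minLength: 12, maxLength: 128,
  requireUppercase: true, requireLowercase: true, requireNumbers: true, requireSpecialChars: true,
  preventCommonPasswords: true, preventUserInfo: true,
  minUniqueChars: 5, preventRepeatingChars: 3, preventSequentialChars: 3,
};
```

Returning every violation at once, rather than the first, lets the UI show the user the whole list in one round trip; the same function runs server-side because the client copy is advisory only.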

Password History

passwordHistory:
  enabled: true
  rememberCount: 5
  minimumAgeDays: 1

Expiration Policy

Forced periodic rotation tends to produce predictable variants of the previous password, and NIST SP 800-63B advises against arbitrary periodic changes; prefer forcing a reset only on evidence of compromise (see Breach Detection below). If a compliance requirement leaves you no choice:

const expirationPolicy = {
  enabled: true,
  expirationDays: 90,
  warningDays: 14,
  gracePeriodDays: 7
};

Breach Detection

// Breach checks should send only a hash prefix (a k-anonymity range lookup) so the
// plaintext password never leaves your system; confirm how your provider does it.
auth.passwordPolicy.enableBreachDetection({
  checkAgainstLeaks: true,   // reject new passwords that appear in known leaks
  autoForceReset: true,      // force a reset when an existing password shows up in a leak
  notifyUser: true
});

For custom validation rules and enterprise policies, see our security guide.